
How do you remove the Mebroot/Sinowal Boot Sector Trojan also called the HelpAssistant Virus?

Blog Post Update: Mebroot can now be removed using Kaspersky TDSSKiller.  For complete steps, please read this remove virus blog post.

The Mebroot Boot Sector Trojan, also called Sinowal or the HelpAssistant Virus, is a stealth infection that is not normally detected by antivirus/antimalware applications, including Malwarebytes. It is a "banking trojan" that installs itself in the Master Boot Record (sector 0) of the hard disk, so its code runs before Windows and before any antivirus driver loads. The trojan secretly captures the user's banking information and transmits it to outside parties without any user interaction; the user of the computer is unaware that this is happening. According to Cisco, "Trojan.Mebroot is reported to have infected nearly 300,000 machines and successfully stolen 270,000 bank account numbers and details for 240,000 credit and debit cards. Trojan.Mebroot does not contain a method of self-propagation and requires some type of user interaction to spread. Users may download this trojan over P2P networks, IRC servers, FTP servers, or in an e-mail attachment sent from the attacker."

When this post was originally written, the then-current version of the Mebroot Boot Sector Trojan could not be removed by any known antivirus/antimalware application (see the update above for the TDSSKiller method). Previous versions could be removed using vendor tools such as the Symantec Mebroot Removal Tool. Other methods that removed previous versions of this infection included the Microsoft Malicious Software Removal Tool, the Microsoft Recovery Console commands FixMBR and FixBoot, GMER's MBR tool (mbr.exe) with the -f switch, and the Mebroot Fix by NoahDFear. (The DOS-era FDISK /MBR command, which rewrote the MBR boot code, is deprecated and was replaced by FixMBR.)

At this writing there was no known method to remove the current version of this infection, and neither a standard nor a low-level format cleared it. A standard format does not help because it rewrites only the file system inside a partition and never touches sector 0, where the infected MBR lives. Strangely, the only solution found at the time for the current version of the Mebroot Boot Sector Trojan was to replace the hard disc with a new hard disc. If you are infected with a previous version of the Mebroot Boot Sector Trojan, the methods mentioned above will resolve the issue.

Please Note: Your Internet Service Provider may classify the Mebroot Boot Sector Trojan as a "Bot Infection" and disable your internet connection.

Sample output from GMER's Stealth MBR rootkit detector (mbr.exe) on an infected system. The tool reads the MBR both from user mode and directly from the kernel and compares the two, then scans the sectors outside any partition for a backup copy of the original MBR and for executable (PE) code, which is where Mebroot keeps its driver. Note that sector 0 itself reads as OK here because the rootkit filters reads of the MBR and returns the original; the backup copy and the PE file in unpartitioned sectors are what give it away:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0BA50E41
malicious code @ sector 0x0BA50E44 !
PE file found in sector at 0x0BA50E5A !
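Offline triage of a raw disk image for the same indicators the detector reports above, and the partition-table-preserving repair that FixMBR and the GMER -f switch perform, as an added example that is not part of the original post and not GMER's or Microsoft's code. The disk image is constructed inside the script (one NTFS partition, a backup of the original MBR and a PE stub in the unpartitioned tail, stand-in "bootkit" bytes in sector 0), and every function name is the example's own. Reading the image offline, from a clean boot or another machine, sidesteps the driver hooks that make the live MBR read as OK:

```python
"""Offline MBR bootkit triage over a raw disk image (added example, not code from
the original post or from GMER).  Builds a constructed sample image, parses the
partition table, scans the unpartitioned tail of the disk for a backup copy of the
MBR and for an embedded PE file, then rebuilds sector 0 from the backup while
keeping the current partition table."""
import struct

SECTOR = 512
MBR_SIG = b"\x55\xAA"
BOOT_CODE_LEN = 440      # bytes 0..439 are boot code; 440..445 disk signature + pad
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
PE_E_LFANEW_OFF = 0x3C   # offset of the PE header pointer in the DOS header


def parse_partitions(sector0):
    """Return the non-empty partition entries as dicts ([] if no MBR signature)."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIG:
        return []
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype != 0 and count != 0:
            entries.append({"status": status, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries

def first_unpartitioned_lba(entries):
    """LBA just past the highest sector any partition claims (0 for an empty table)."""
    return max((e["lba_start"] + e["sectors"] for e in entries), default=0)

def looks_like_pe(sector):
    """DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature in this sector."""
    if sector[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", sector, PE_E_LFANEW_OFF)
    return 0 < e_lfanew <= SECTOR - 4 and sector[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def looks_like_mbr_copy(sector, current_entries):
    """A sector with a valid MBR signature and the same partition table as sector 0:
    the original MBR that a bootkit saves before overwriting the boot code."""
    return (bool(current_entries) and sector[510:512] == MBR_SIG
            and parse_partitions(sector) == current_entries)

def scan_hidden_area(image):
    """Scan every sector past the last partition; return [(lba, kind), ...]."""
    entries = parse_partitions(image[:SECTOR])
    findings = []
    for lba in range(first_unpartitioned_lba(entries), len(image) // SECTOR):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if looks_like_mbr_copy(sector, entries):
            findings.append((lba, "mbr_copy"))
        elif looks_like_pe(sector):
            findings.append((lba, "pe_file"))
    return findings

def boot_code_differs(image, backup_lba):
    """The infection check: does the boot code in sector 0 differ from the backup's?"""
    start = backup_lba * SECTOR
    return image[:BOOT_CODE_LEN] != image[start:start + BOOT_CODE_LEN]

def restore_mbr(image, backup_lba):
    """New image whose sector 0 carries the backup's boot code but keeps the current
    disk signature and partition table (replace the code, never the table)."""
    start = backup_lba * SECTOR
    fixed0 = image[start:start + BOOT_CODE_LEN] + image[BOOT_CODE_LEN:SECTOR]
    return fixed0 + image[SECTOR:]

def build_sample_image():
    """Constructed sample: 1100-sector disk, one NTFS partition at LBA 63..1062,
    backup of the original MBR at LBA 1070 and a PE stub at LBA 1080, both in the
    unpartitioned tail.  Sector 0 carries stand-in 'bootkit' bytes, not Mebroot."""
    def mbr(boot_code):
        entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 1000)
        table = entry + b"\x00" * 48
        return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x12\x34\x56\x78\x00\x00" + table + MBR_SIG
    clean = mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")   # xor ax,ax / mov ss,ax / mov sp,7C00h
    infected = mbr(b"\xEB\xFE")                     # jmp $ : constructed stand-in code
    pe = b"MZ".ljust(PE_E_LFANEW_OFF, b"\x00") + struct.pack("<I", 0x80)
    pe = pe.ljust(0x80, b"\x00") + b"PE\x00\x00"
    image = bytearray(1100 * SECTOR)
    image[0:SECTOR] = infected
    image[1070 * SECTOR:1071 * SECTOR] = clean
    image[1080 * SECTOR:1080 * SECTOR + len(pe)] = pe
    return bytes(image)

if __name__ == "__main__":
    img = build_sample_image()
    findings = scan_hidden_area(img)
    for lba, kind in findings:
        print(f"{kind} @ sector 0x{lba:08X}")
    backups = [lba for lba, kind in findings if kind == "mbr_copy"]
    if backups and boot_code_differs(img, backups[0]):
        print("sector 0 boot code differs from the backup copy: MBR is modified")
        img = restore_mbr(img, backups[0])
        print("restored from backup; still differs:", boot_code_differs(img, backups[0]))
```

Running the script prints the two findings in the same sector-number style as the GMER output, then rebuilds sector 0 from the on-disk backup while keeping the current disk signature and partition table. That is the same preserve-the-table approach FixMBR takes, except FixMBR writes standard boot code rather than a backup found on disk. Restoring sector 0 only stops the bootkit from being loaded at boot; the backup copy and the PE file stay in the unpartitioned sectors and will be reported again until those sectors are zeroed.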
